Mentors

• Start page
• Package list
• Maintainer
• Reviews
• Sponsors
• Q & A
• Contact

 oidc-agent (4.0.2-1) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install
   * Use debian packages for cjson and list
   * Support the latest upstream 4.0.0
   * Add -z now to LDFLAGS
   * Update to upstream version 4.0.2

 oidc-agent (4.0.0-6) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install
   * Use debian packages for cjson and list
   * Support the latest upstream 4.0.0
   * Add -z now to LDFLAGS

 oidc-agent (4.0.0-7) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install
   * Use debian packages for cjson and list
   * Support the latest upstream 4.0.0
   * Add -z now to LDFLAGS

 oidc-agent (4.0.0-6) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install
   * Use debian packages for cjson and list
   * Support the latest upstream 4.0.0
   * Add -z now to LDFLAGS

 oidc-agent (4.0.0-5) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install
   * Use debian packages for cjson and list
   * Support the latest upstream 4.0.0

 oidc-agent (4.0.0-4) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install
   * Use debian packages for cjson and list
   * Support the latest upstream 4.0.0

 oidc-agent (4.0.0-3) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
   * Changed how the symmetric key is derived in ipc communication to be able
     to support ipc encryption eith golang lib.
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13
   * Add install files for dh_install

 oidc-agent (4.0.0-3) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13

 oidc-agent (4.0.0-3) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Non-maintainer upload
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13

 oidc-agent (4.0.0-3) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Update dependency versions
 .
   [ Marcus hardt ]
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Optionally prints the device code url QR-code directly to the terminal
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file
   * Separate packages between graphical and non graphical environments
   * Use debhelper-compat-version 13

 oidc-agent (4.0.0-2) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.
   * Added oidc-agent-server a oidc-agent version that can run as a central
     server.
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata
   * Fix watch file

 oidc-agent (4.0.0-2) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.
   * Added oidc-agent-server a oidc-agent version that can run as a central
     server.
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)
   * Add upstream/metadata

 oidc-agent (4.0.0-1) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.
   * Added oidc-agent-server a oidc-agent version that can run as a central
     server.
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)

 oidc-agent (4.0.0-1) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.
   * Added oidc-agent-server a oidc-agent version that can run as a central
     server.
   * Added encryption to liboidc-agent (now depends on libsodium).
 .
   [ Marcus Hardt ]
   * Move to new debian packaging 3.0 (quilt)

 oidc-agent (4.0.0) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.

 oidc-agent (4.0.0) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.

 oidc-agent (4.0.0) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.

 oidc-agent (4.0.0) UNRELEASED; urgency=medium
 .
   [ Marcus hardt ]
   * Trying to fix debuild messages
   * Updated dependency versions
 .
   [ Gabriel Zachmann ]
   * Fixes dependencies versions
   * adds man pages
 .
   [ Gabriel Zachmann ]
   * Support for Authorization Code Flow
   * Support for Device Flow
   * Support for user defined scopes
   * Couple of minor improvements
   * Couple of bugfixes
 .
   [ Gabriel Zachmann ]
   * Support for providing the device authorization endpoint manually
 .
   [ Gabriel Zachmann ]
   * Removed https://perun.elixir-czech.cz/oidc/ from issuer.config.
 .
   [ Marcus Hardt ]
   * Add IAM of DEEP to issuer.conf
   * Also accept libcurl4 as a dependency
 .
   [ Gabriel Zachmann ]
   * Adds documentation notes on expiring refresh tokens
 .
   [ Gabriel Zachmann ]
   * Adds possibility to build the C-API as static library
   * oidc-token now uses this library
 .
   [ Gabriel Zachmann ]
   * fixed segmentation fault for an unchecked file existence
 .
   [ Gabriel Zachmann ]
   * Fixes static library
   * Includes Refactoring
   * Hides client secret
   * Adds optional client name identifier when using dynamic registration
   * Optionally prints the device code url QR-code directly to the terminal
   * Validation for redirect url format
   * Fixes some typos
   * Backward-compatible API-change: ipc access token requests now also contain
     the associated issuer; also the C-API includes it
 .
   [ Gabriel Zachmann ]
   * Replaces JSON Parser Library
   * On default only one configuration file for client and account config is
     generated.
   * json and list dependencies are now included as source files not as a static
     library
   * oidc-agent can now be started with a default lifetime for account
     configurations
   * a lifetime can be specified when using oidc-add
   * Better no_color support.
   * Memory encryption: Encrypting refresh_token and client credentials when
     not used.
   * oidc-agent can now be locked. This includes additional encryption for access
     tokens, refresh tokens and client credentials.
   * Supporting seccomp (can be turned off) to restrict system calls
   * Automatic call of authorization url can be turned off
   * Adds support for bash-completion
   * Changes to command line arguments: no longer using space delimited strings
   * Removed the feature to list the currently loaded account configurations
   * Token Request can now include an application hint
   * Token Request Response now includes expires_at
   * Unloading accounts does not require a password anymore
   * Added option to unload all loaded accounts.
   * Improvements to the memory management
   * Fixed a bug where automatic account generation failed after successful
     dynamic client registration.
   * Improved UX: checking if oidc-add can connect to agent before prompting
     for encryption password
 .
   [ Gabriel Zachmann ]
   * Fixes a bug related to merging json objects
   * Improves UI: oidc-gen now does not prompt for refresh token. Use the --rt
     option insted.
   * Improves UI: oidc-gen only prompts for credentials if using the password
     flow
   * Improved flow internal handling of dynamic client registration
   * Fixes a missing seccomp syscall
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that disabled seccomp for oidc-add and oidc-token
   * Internal Improvements to bash-completion
   * Fixed a bug where dyn client reg would fail if the preselected scope was
     modified.
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that autoremoved also accounts with infinite lifetime when an
     account with limited lifetime expired
   * Added missing seccomp syscalls
   * Fixed a bug that broke bash completion
   * Fixed possible segmentation faults
   * Disabled seccomp on default
   * Disables Tracing: Cannot attach using ptrace
 .
   [ Gabriel Zachmann ]
   * Now using base64 encoding instead of hex encoding for all new encryptions
   * Updated the config file format used for all new encryptions; this includes
     the version it was generated with
   * Added possibility to update a config file to the newest file format /
     encryption
   * Improved the en/decryption, so that all parameters needed are now saved
     (linked to the file format)
   * Fixed seg faults
   * Allows usage of cjson package instead of included source files
   * Fixed double response from oidc-agent for check request if agent locked
   * Changes to the libsodium depencency: required newer version, now included
     as static library
   * Now providing a shared library and not only a static library
   * The shared library is provided in the liboidc-agent2 package, the needed
     development files in the liboidc-agent-dev package
   * Fixed invalid read in stringToJSON
   * Fixed possible double frees when the already set value is passed to a
     setter
   * Fixed missing authentication for device code access token requests
   * Now allowing using OIDPs that support the device flow, but don't advertise
     it by using the oidc-gen --dae option
   * Improved UX: checking if oidc-gen can connect to agent before prompting
     the user for any information
   * Support for IPC encryption: oidc-add and oidc-gen now only communicate in
     an encrypted way with oidc-agent
   * Fixed a bug where the grant_type parameter was falsly included in the auth
     code url
   * Improved the account listing output
 .
   [ Gabriel Zachmann ]
   * Fixed a bug causing problems with the device flow
   * Fixed memory leaks
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which errors during token revocation were ignored
   * Fixed a bug displaying a (wrong) error message when token revocation
     succeeded and the server answered with an empty response when using
     encrypted ipc communication
   * Fixed a bug where the browser would not redirect to the webserver when the
     chosen port was to high
   * Fixed a sementation fault if the config tmp file did not contain the
     account shortname
   * Fixed broken bash-completion when oidcdir did not yet exist
 .
   [ Gabriel Zachmann ]
   * Fixed build error if bin dir not existed
   * Fixed a problem with unity OP where access token did not have any scope
   * Fixed strange additional parameters in the auth code exchange request
   * Fixed superfluous error logs when checking if a string is a json object
   * Changed encoding for memory encryption from hex to base64
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which oidc-agent would return a wrong already loaded
     account config when generating a new account config
   * Improved error handling when no authorization flow possible
   * Fixed a seg fault when dynamic client registration failed
   * Fixed a seg fault in memory decryption if account config does not have a
     client secret (public client)
   * Added support for PKCE
   * Added support for public clients
   * Fixed a bug where it was possible to display issuer urls that only differ
     in the trayling slash twice when using oidc-gen
   * Enforce usage of openid and offline_access scope in all cases
 .
   [ Gabriel Zachmann ]
   * Improve error message when necessary scopes cannot be registered during
     dynamic client registration
   * If necessary scopes cannot be registered during dynamic client
     registration, a public client is tried
   * Fixed memory leaks
   * Allow updating of public clients by using the -m and --pub option
 .
   [ Gabriel Zachmann ]
   * Added public client for aai.egi.eu
 .
   [ Gabriel Zachmann ]
   * Added environment variable to manually specify the oidc-agent config
     directory location
   * Added option to manually specify the used redirect port during dynamic
     client registration
 .
   [ Gabriel Zachmann ]
   * Fixed file locations when using a custom oidcdir (through env var) and the
     path value did not have a trailing slash
   * Fixed a possible seg fault
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that made it impossible to use the device flow
 .
   [ Gabriel Zachmann ]
   * Removed an unnecessary client_id from post data, that caused problems with
     iam when using the device flow.
 .
   [ Gabriel Zachmann ]
   * Changed the fundamental architecture by introducing a new proxy daemon
   * Now an account config can be updated by oidc-agent, i.e. when a provider
     issues a new refresh token
   * oidc-agent can manage the encryption password: store encrypted in memory,
     use keyring, use user provided command, or prompt the user
   * Added autoload possibility. If an application requests an access token for a
     not loaded config, it is automatically loaded, if the user allows it.
   * Added possibility that each usage of an account configuration has to be
     confirmed by the user. Can be turned on by using oidc-add -c or oidc-agent
     -c
   * Changed the oidc-agent console module flag from -c to -d
   * Changed the default port for redirect urls when using dynamic client
     registration from 2912 to 4242
   * Added encryption for the communciation between agent and its httpserver
   * Added possibility to complete account generation with the url a user is
     redirected to
   * Fixed possible seg faults
 .
   [ Gabriel Zachmann ]
   * Added support for custom uri scheme redirect uris
   * Added support for doing the auth code flow without a webserver
   * Added public clients for HBP, Elixir
   * Added support for XSession integration
   * Various bug fixes and other improvements
   * Allow -u to encrypt unencrypted files, not only reencrypting already
     encrypted files
   * When using oidc-gen --delete the account config now does not have to be
     loaded. The refresh token can also be revoked if not loaded.
   * Added --reauthenticate option to oidc-gen to easily update the refresh
     token without changing any other metadata
   * En-/Decryption password prompts can be done noninteractive using the
     --pw-cmd option
   * Improved documentation
   * Fixed some memory leaks
   * Fixed a seg fault when locking an agent that has a public client loaded
   * Fixed other possible seg faults
   * Improved usability of oidc-gen and other enhancements
 .
   [ Gabriel Zachmann ]
   * Fixed the course of a bug that would not utilize the cached AT when an
     application requests an AT with an empty scope value. This fix might have
     also fixed other unknown bugs.
   * Improved the user prompt message for autoload when the application does
     not send an application_hint
   * Improved error handling when refresh token wrong
   * Fix a bug related to the confirm feature: after a request is declined it
     was impossible to get an access token for this configuration without
     reloading the configuration.
 .
   [ Gabriel Zachmann ]
   * Changed the type of the UNIX domain socket used for communciating with
     oidc-agent from SOCK_SEQPACKET to SOCK_STREAM
   * This allows forwarding of the oidc-agent through ssh
   * Added getAccessToken2 to liboidc-agent
   * Access tokens can now be requested by issuer url; the suer can set an
     default account config for each issuer
   * Added the correlating functions to liboidc-agent
   * oidc-token can now also be used with issuer urls
 .
   [ Gabriel Zachmann]
   * Added the elixir public client to the list of public clients
 .
   [ Gabriel Zachmann ]
   * Fixed a segfault if the pubclients.conf file does not exist
   * Fixed segfault if the issuer.config in the oidc-agent directory doesn't
     exist and an AT is requested by issuer.
   * Fixed behavior of oidc-gen -p when the passed file does not exist.
 .
   [ Gabriel Zachmann ]
   * Support on MacOS
 .
   [ Gabriel Zachmann ]
   * Fixed a bug that did not save the information from dynamic client
     registration (did not save merged data).
   * Updated the cJSON library
 .
   [ Gabriel Zachmann ]
   * Fixed a bug due to which no error message was displayed when trying to
     load an account configuration and the oidc-agent directory was not
     accessible for oidc-add.
   * This bug also caused the agent to crash if oidc-token was used to load
     this account configuration on the fly and the oidc-agent directory was
     not accessible for oidc-agent.
 .
   [ Gabriel Zachmann ]
   * Add possibility to allow applications that run under another user access
     to the agent by using the --with-group option
 .
   [ Marcus Hardt ]
   * Add debhelper-token
   * Remove build-essential from Build-Depends
   * Improve clean target to fix "source-is-missing" lintian warnings
 .
   [ Gabriel Zachmann ]
   * Add possibility to avoid custom uri scheme (useful when running on a
     remote server)
   * Fixed bug with doubled communication when not all required scopes could be
     registered
   * Now displaying warning message when client regstration could not register
     all requested scopes.
 .
   [ Gabriel Zachmann ]
   * Add public clients for deep and extreme datacloud
 .
   [ Gabriel Zachmann ]
   * Add public clients for iam-demo.cloud.cnaf.infn.it
 .
   [ Gabriel Zachmann ]
   * Fixed bug that might cause problems with providers that do not support
     PKCE. No longer sending code_verifier on auth code exchange requests.
 .
   [ Gabriel Zachmann ]
   * Fixed some spelling errors.
   * Fix X11 settings only adjusted when the configuration file already exists.
   * Increased oidc-gen polling interval and duration.
   * oidc-gen now displays the scopes supported by the provider.
   * Scopes provided to oidc-gen are no longer intersected with the supported
     scopes.
 .
   [ Gabriel Zachmann ]
   * Improve RPM build
 .
   [ Gabriel Zachmann ]
   * Fix scope lookup not using cert path.
   * Exit oidc-gen when error during scope lookup.
   * Add option to oidc-token to specify name of calling application.
   * Add option to oidc-add to list currently loaded accounts.
   * Fix no-scheme option not working if first url is scheme url.
   * Add option to oidc-agent that allows log message printed to stderr.
   * Fix that some information is printed to stderr instead of stdout.
   * Fix scopes not set when using password flow.
   * Add support to request tokens with specific audience.
   * Add wlcg.cloud.cnaf.infn.it
   * Add public client for wlcg.cloud.cnaf.infn.it
   * Update cJSON library.
   * Add --id-token option to oidc-token to request an id-token from the
     agent.
   * Fix some minor bugs.
   * Add oidc-keychain to reuse oidc-agent across logins
 .
   [ Gabriel Zachmann ]
   * Remove dot files from oidc-add and oidc-gen -l
   * Add a header line for oidc-add -a
 .
   [ Gabriel Zachmann ]
   * Add aai-demo.egi.eu
   * Add public client for aai-demo.egi.eu
 .
   [ Gabriel Zachmann ]
   * Fix --pw-cmd not correctly working when output does not end with newline
     character
   * Fix duplicated output of oidc-agent when redirecting
   * Fix oidc-agent dies when client disconnects before agent can write back.
 .
   [ Gabriel Zachmann ]
   * Updated the issuer urls of HDF.
   * Fix bash completion of shortnames if $OIDC_CONFIG_DIR is used.
 .
   [ Gabriel Zachmann ]
   * Add possibility for force a new AT through oidc-token.
   * Add status command to oidc-agent to get information about the currently
     running agent.
   * Allow users to rename accounts.
   * Write temporary data to oidc-agent instead of tmp file.
   * Fix seg fault in oidc-gen issuer selection when selecting 0
   * Delete oidc client when deleting agent configuration.
   * Improved bash completion of oidc-gen short options.
   * Add --pw-file option to read decryption password from file
   * Improve password prompt on autoload.
   * On default cnid (oidc-gen) is set to the hostname; so the hostname is
     included in the client name.
   * oidc-gen is now completely non-interactive
   * Added several new options for passing information to oidc-gen
   * User can now choose between cli and gui prompts.
   * Fix bug where oidc-gen would use a public client instead of aborting when
     generating a account configuration with a shortname that is already
     loaded.
   * When the 'max' keyword is used for scopes and a public client is used,
     this now uses the maximum scopes for that public client, not the issuer.
   * Fixes a possible conflict between the application type 'web' and custom
     scheme redirect uris.
   * Update cJSON library.